Millions of Americans have their identities stolen each year. Thieves may drain consumer accounts, damage their victims' credit, and even threaten their physical or medical safety. The costs to consumers and to organizations can be enormous.
In response to the growing threat of identity theft, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) primarily targeting financial organizations that deal with individual credit accounts.
The law was later expanded to include identity theft in any organization where personal information is used in the normal course of business involving credit or finance.
In November 2007, the Federal Trade Commission finalized Red Flag Rules to encourage recognition and detection of warning signs of potential identity theft and take steps to prevent fraud from occurring.
Typically, the theft of identity is committed by a person or group who plans to use someone else’s information to get products or services without permission and without paying, or to sell that information to other entities that may do the same.
Elon University provides substantial resources and guidance to strengthen protection of all types of information, as described in Elon's Data Security Policy. (For more information see Data Security Guidelines and Resources at the end of this page.)
In addition to data security practices and guidelines, Red Flag Rules are designed to enhance the prevention of identity theft by implementing policies to specifically help protect personal identifying information. Elon University is working to prevent identity theft and fraud on two fronts:
- By implementing data security practices that make it more difficult to gain unauthorized access to personal or identifying information that may be used to open or access accounts, and
- By teaching faculty and staff to recognize and detect Red Flags that may be warning signs of potential identity theft and take steps to prevent fraud from occurring.
Elon University has developed an “Identity Theft Prevention Policy” for existing and new accounts. In addition to data security, this policy is intended to prevent and stop theft and fraudulent use of personal data and to help protect students, faculty, staff, and other constituents from damages related to fraudulent activity.
The following Questions and Answers are designed to familiarize you with the University’s policy and ways you may participate in the prevention of fraud and identity theft.
- What is identity theft?
- Fraud committed or attempted using the identifying information of another person without authority.
- What is a Red Flag?
- A pattern, practice, or specific activity that indicates the possible existence of identity theft.
- What is considered identifying or sensitive information?
- Any name or number or data that may be used, alone or in conjunction with any other information, to identify a specific person in a manner that would enable someone to steal that person’s identity.
- What are some examples of identifying or sensitive information?
- Credit card information; social security number; business, employer, or student identification number; payroll information; benefits and insurance information; medical information; date of birth or date of death; address; phone numbers; maiden and other legal names; government issued identification numbers (such as driver’s license or passport number); tax identification numbers; or email address.
- How should hard (printed) information be safeguarded?
- Work areas, common shared work areas, or storage spaces containing documents with sensitive information should be locked at the end of each workday or when unsupervised.
- Whiteboards, dry-erase boards, writing tablets, etc. in common or open areas should be erased, removed, or shredded when not in use.
- When documents containing sensitive information are discarded, make sure they are shredded in a cross-cut shredder.
- Know precisely which printer in your area sensitive documents will be printed on.
- DO NOT ask the print shop to print multiple copies of sensitive documents.
- What are some ways that electronic or digital information can be safeguarded?
- Click “No” when an application asks if you want to store your password or keep the application open.
- Use security features that may be present in your software, such as Microsoft Office products or PDFs.
- Transmit or transport sensitive data using only approved encrypting methods.
- Appropriately secure information stored in an electronic format from unauthorized access or disclosure at all times, including on hard drives, servers, flash drives, or other electronic devices.
- Do not remove sensitive data from the campus without explicit authorization to do so from the Assistant Vice President of Business and Finance or direct designee.
- Log off from any applications and shut down your computer monitor when away from your desk to ensure that computer security is actively engaged.
- If you work with sensitive identifying information, orient your computer monitor away from the general public or unauthorized viewing.
- What are some examples of Red Flags?
- A computer screen turned in a way that allows sensitive information to be viewed by visitors.
- Papers or printouts containing sensitive identifying information are left unattended on a desk, or unshredded documents thrown into a trash or recycling bin.
- An electronic data storage drive is not secured.
- Use of student, faculty, or staff identifying data without authorization to do so.
- Conversations discussing sensitive identifying information are audible to unauthorized individuals.
- Email containing sensitive identifying information is sent to unauthorized individuals.
- Sending or receiving any email containing a password.
- What are some ways I can help prevent identity theft?
- Protect your own identifying information by not keeping any hard copies unless absolutely necessary.
- Ensure that you have adequately secure passwords on all electronic devices.
- NEVER email your password.
- Shield your screen from unauthorized viewing.
- Properly log out of any application into which you entered a password, code, address, or credit information.
- Apply these same safeguards to others’ personal identification information.
- Talk with your co-workers and supervisor if you notice practices that might be potential Red Flags.
- Discuss ways to correct conditions or practices in your department where sensitive identifying data might be compromised.
- What do I do if I discover a Red Flag?
- If possible, stop, halt, or remedy the Red Flag occurrence immediately.
- Describe the situation to your supervisor, or another university official, and help determine ways to address the situation.
- Once the situation is addressed, ensure that all employees in your department follow the same steps to prevent future Red Flags.
- Change passwords to security devices.
- Continue to monitor the activity.
- How do we reduce the risk of theft of identifying information?
- Discuss and examine procedures and methods that can be easily changed to reduce the potential for Red Flags.
- Ensure any business or registration website is secure or provide clear notice that the website is not secure.
- Ensure complete and secure destruction of paper documents and computer files containing individual account information.
- Ensure that office computers with access to individual account information are password protected.
- Avoid use of social security numbers.
- Ensure computer virus protection is up to date.
- Require and keep only the kinds of information that are necessary for University purposes.
- Thieves often try to get passwords, which can help them access all kinds of data, including data that can lead to identity theft. The Technology Helpdesk provides guidelines for creating more secure passwords used at work, along with guidelines for resetting your Elon password. You might also consider these same guidelines when creating personal passwords.
- Sophisticated thieves may use spyware or viruses to obtain personal identifying information, or to damage a database or system. The Technology Helpdesk provides suggested free resources to help prevent spyware and viruses from infecting your computer, and additional resources if you suspect your computer is already infected.
- It is recommended that you back up your data periodically in the event of computer failure or a breach of data security. After completing your backup, remove your storage media and keep it in a safe, secured, and separate location away from your computer. It should always be kept away from extreme heat, extreme cold, and magnetic items. Use password protection or data encryption whenever possible on your storage media.
- Faculty and staff may back up your My Documents folder from your computer to your space on the U drive. Note that while this capability may provide an easily accessible copy of your documents, . Additionally, files stored on networks are not backed up. Finally, never save your files to the hard drive of a lab or library machine. The files on public machines are deleted every time the computer is restarted.
- FTC Identity Theft Website http://www.ftc.gov/bcp/edu/microsites/idtheft/
- Video: Protecting Personal Information: A Guide for Business http://ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html
- Federal Trade Commission, Bureau of Business Protection Business Center, "New 'Red Flag' Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft"
- "FTC Red Flags Rule", National Association of College and University Business Officers (NACUBO) http://www.nacubo.org/Initiatives/FTC_Red_Flags_Rule.html